CVE-2026-9811

A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...

CVE-2026-9811

A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...

Stored-XSS-in-Inventory-System-using-PHP-and-MySQL

Stored XSS in Inventory System using PHP and MySQL Vulnera...

CVE-2026-34241 CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting XSS vulnerability in the ticket reply notification system. Unsanitized reply content $newmessage is stored directly in database notification payloads and later rendered...

PT-2026-42017

Name of the Vulnerable Software and Affected Versions CtrlPanel versions prior to 1.2.0 Description A Stored Cross-Site Scripting XSS issue exists in the ticket reply notification system. Unsanitized content from the $newmessage variable is stored in database notification payloads and rendered...

Strapi 代码问题漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a flaw in the Content API endpoint of the Upload plugin, which did not enforce the MIME type...

PT-2026-40844

Name of the Vulnerable Software and Affected Versions Argo CD versions prior to 3.2.12 Argo CD versions prior to 3.3.10 Argo CD versions prior to 3.4.2 Description A stored cross-site scripting XSS issue exists in the application Summary tab. A user with application write access developer role ca...

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...

Stored-Cross-Site-Scripting-XSS-in-Donor-Registration-Leading-to-Admin-Session-Hijacking

Stored XSS in BloodBank Managing System — Donor Registration...

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of the ip parameter in the UserLocation plugin's testIP.php process. An attacker can execute arbitrary JavaScript in the...

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

PT-2026-25783

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping ipaddr parameter ...

CVE-2026-27621

TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...

CVE-2026-27621

TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a...

PT-2026-21273

SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field,...

PT-2026-20514

Name of the Vulnerable Software and Affected Versions MajorDoMo versions affected versions not specified Description The software contains a stored cross-site scripting XSS issue through method parameter injection into the shoutbox. The /objects/?method= API endpoint allows unauthenticated...

CVE-2020-37153

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with...

CVE-2020-37153 ASTPP VoIP 4.0.1 - Remote Code Execution

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with...

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of the Address Line 1 field in inventory locations. An attacker can execute arbitrary JavaScript in an administrator's browser by submitting crafte...

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Name and Description fields in the tax categories section of the admin panel. An attacker can execute arbitrary JavaScript code in the context of an administrator's...